Key Takeaways
| # | Takeaway |
| --- | --- |
| 1 | Risk tolerance is the acceptable level of variation around a specific risk that an organization is prepared to bear after risk treatment, in pursuit of its objectives. |
| 2 | Risk tolerance operates at the individual-risk level. Risk appetite operates at the aggregate, strategic level. The two concepts are related but distinct. |
| 3 | COSO ERM (2017) defines risk tolerance as acceptable variation in outcomes linked to specific performance measures. ISO Guide 73 defines it as readiness to bear risk after treatment in order to achieve objectives. |
| 4 | Setting tolerance levels requires explicit thresholds (financial, operational, reputational, compliance) calibrated to each risk category and linked to KRIs. |
| 5 | Tolerance without measurement is meaningless. Pair every tolerance statement with a key risk indicator and an escalation trigger. |
| 6 | Review tolerance levels at least annually, after major incidents, and whenever the strategic context shifts. |
| 7 | Clear tolerance levels accelerate decision-making, reduce ambiguity, and give the board confidence that risk-taking stays within defined boundaries. |
Defining Risk Tolerance
Risk tolerance is the specific, measurable boundary of acceptable deviation from an organization’s risk appetite that applies to an individual risk or risk category. The concept answers one question: “How much variation around this particular risk are we prepared to accept before we must act?”
Two leading frameworks define the term. COSO ERM (2017) describes risk tolerance as “the acceptable variation in outcomes related to specific performance measures linked to objectives.” ISO Guide 73:2009 defines risk tolerance as “an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”
Both definitions point to the same idea: tolerance is where the rubber meets the road. Appetite is the strategic ambition; tolerance is the tactical guardrail.
Note that ISO 31000:2018 does not use the term “risk tolerance” directly. Instead, the standard uses “risk criteria” to describe the benchmarks against which risk significance is evaluated.
If your organization follows ISO 31000, your tolerance thresholds will appear inside your risk criteria definitions. If you follow COSO, they appear in your risk appetite framework as the permitted deviation band around each appetite statement.
Risk Appetite vs. Risk Tolerance vs. Risk Capacity: Clearing Up the Confusion
These three terms are frequently conflated. The table below separates them cleanly.
| Concept | Definition | Level | Analogy | Typical Owner |
| --- | --- | --- | --- | --- |
| Risk Appetite | The amount and type of risk an organization is willing to pursue or retain in aggregate (ISO Guide 73) | Strategic / Enterprise-wide | Your speed limit on the open highway: the pace you choose to drive at | Board of Directors / Risk Committee |
| Risk Tolerance | The acceptable variation around the risk appetite that applies to a specific risk or risk category (COSO ERM) | Tactical / Individual risk | The speedometer buffer: you’re comfortable driving 5 mph over the limit, but not 20 mph over | CRO / Risk Owners |
| Risk Capacity | The maximum amount of risk the organization can absorb before its survival is threatened (COSO ERM) | Absolute ceiling | The physical top speed of the car: exceeding this causes structural failure | Board / CFO |
| Risk Threshold | The upper limit of risk appetite; the trigger point above which risk treatment becomes mandatory | Trigger point | The red line on your tachometer: cross this and the engine is at risk | CRO / Risk Manager |
In practice: risk appetite says “We accept moderate cyber risk.” Risk tolerance says “We will tolerate no more than two unpatched critical vulnerabilities open beyond 30 days.”
Risk capacity says “A breach costing more than $50M would threaten our solvency.” The three concepts nest inside each other: capacity > appetite > tolerance.
Our detailed guide on risk appetite vs. risk tolerance expands on this distinction with additional examples by sector.
Why Risk Tolerance Matters
Without explicit tolerance levels, five problems recur across organizations.
| Problem | What Happens | How Tolerance Fixes This |
| --- | --- | --- |
| Ambiguous decision-making | Managers interpret “moderate risk appetite” differently; one approves a $5M exposure while another rejects a $500K exposure | Tolerance thresholds give every manager the same guardrails: “Maximum single-event loss of $2M per business unit per quarter” |
| No escalation triggers | Risks grow silently because nobody knows when to escalate | Tolerance thresholds linked to KRIs trigger automatic escalation when breached |
| Subjective risk scoring | Assessors score the same risk differently because they have no common benchmark | Tolerance definitions provide calibrated descriptor scales that anchor scoring to objective thresholds |
| Audit and regulatory gaps | Regulators ask “What is your tolerance for compliance risk?” and the organization has no documented answer | Published tolerance statements demonstrate governance maturity and satisfy regulatory due-diligence requirements |
| Over- or under-investment in controls | Organization spends equally on all risks instead of concentrating on those approaching tolerance limits | Tolerance data reveals which risks are closest to their limits, directing control investment where the margin is thinnest |
Building a tolerance framework is a governance investment that pays off across risk assessment, board reporting, and KRI dashboard design.
How To Set Risk Tolerance Levels: A Six-Step Process
| Step | Action | Techniques | Output |
| --- | --- | --- | --- |
| 1. Start with appetite | Confirm or draft the organization’s risk appetite statement by risk category | Board workshop; peer benchmarking; regulatory review | Approved risk appetite statement |
| 2. Define risk categories | Map risks to a taxonomy so tolerance can be set at the right granularity | Risk taxonomy from ISO 31000 or COSO; existing risk register categories | Risk taxonomy aligned to appetite categories |
| 3. Set quantitative thresholds | Translate each appetite statement into measurable tolerance boundaries per risk category | Financial modeling; scenario analysis; historical loss data; Monte Carlo simulation | Tolerance threshold table |
| 4. Link tolerances to KRIs | Assign at least one key risk indicator to each tolerance threshold; define green/amber/red zones | KRI design workshops; data-source mapping; dashboard configuration | KRI-to-tolerance mapping; dashboard design |
| 5. Define escalation rules | Specify what happens when a tolerance is approaching (amber) or breached (red) | Escalation matrix design; RACI mapping | Escalation matrix document |
| 6. Approve and communicate | Obtain Board Risk Committee approval; publish tolerance statements; train risk owners | Board presentation; policy update; training workshops | Approved tolerance framework; training records |
Our guides on Monte Carlo simulation and scenario analysis show how to derive quantitative tolerance thresholds from probability distributions.
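As an added illustration of step 3 (this is example code written for this page, not code from the article or from the linked guides), the Python below simulates an annual-loss distribution as a Poisson number of loss events with lognormal severity and reads tolerance boundaries off its percentiles. The frequency and severity parameters, the random seed and the percentile mapping (amber at P80, tolerance at P90, a capacity check at P99) are constructed assumptions; a real programme calibrates them to its appetite statement and historical loss data.

```python
"""Monte Carlo derivation of a quantitative tolerance threshold from a
loss distribution (step 3 of the process). Annual loss is modelled as a
Poisson number of events with lognormal severity; the parameters, the seed
and the choice of percentiles are constructed for this example."""

import math
import random
from typing import Dict, List


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(trials: int, lam: float, median_loss: float,
                           sigma: float, seed: int = 2024) -> List[float]:
    """One simulated annual loss total per trial (frequency x severity)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal median = exp(mu)
    losses = []
    for _ in range(trials):
        events = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def percentile(ascending: List[float], q: float) -> float:
    """Nearest-rank percentile of an ascending list, 0 < q <= 1."""
    return ascending[max(0, math.ceil(q * len(ascending)) - 1)]


def derive_thresholds(losses: List[float], amber_q: float = 0.80,
                      tolerance_q: float = 0.90,
                      capacity_q: float = 0.99) -> Dict[str, float]:
    """Read tolerance boundaries off the simulated distribution.

    The percentile mapping (amber P80, tolerance P90, capacity check P99) is
    an assumption of this example, not a rule from the article.
    """
    s = sorted(losses)
    return {
        "expected": sum(s) / len(s),
        "amber": percentile(s, amber_q),
        "tolerance": percentile(s, tolerance_q),
        "capacity": percentile(s, capacity_q),
    }


def analytic_mean(lam: float, median_loss: float, sigma: float) -> float:
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    return lam * median_loss * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed parameters: 3 events/year on average, median loss $100k.
    losses = simulate_annual_losses(20_000, lam=3.0, median_loss=100_000, sigma=1.0)
    for name, value in derive_thresholds(losses).items():
        print(f"{name:10} ${value:,.0f}")
    print(f"analytic   ${analytic_mean(3.0, 100_000, 1.0):,.0f}")
```

The simulated mean should sit close to the closed-form expectation; a large gap between the two is the first sign that the frequency or severity model is mis-specified before any threshold is read off it.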
Risk Tolerance Examples by Category
The table below provides sample tolerance statements across seven risk categories. Customize these to your organization’s size, industry, and regulatory context.
| Risk Category | Appetite Statement | Tolerance Threshold | KRI | Escalation Trigger |
| --- | --- | --- | --- | --- |
| Strategic | Moderate: accept uncertainty in pursuit of growth | Max single-initiative loss ≤ 5% of annual EBITDA | Variance to plan ($ and %) | Variance > 3% EBITDA → CRO review within 7 days |
| Operational | Low: minimize operational disruptions | Unplanned downtime ≤ 4 hours/quarter; RTO ≤ 4 hours | Unplanned downtime hours | Downtime > 2 hours in single incident → incident commander activation |
| Financial / Liquidity | Moderate: managed market and liquidity exposure | Cash reserves above 60-day coverage at all times | Days of cash coverage ratio | Coverage < 75 days → CFO alert; < 60 days → Board notification |
| Compliance | Zero appetite: no material regulatory breaches | Zero high/critical audit findings; all regulatory deadlines met | High/critical compliance findings count | Any high finding → CRO + General Counsel within 24 hours |
| Cyber / IS | Low: data confidentiality and integrity paramount | No unpatched critical CVEs open > 30 days | Unpatched critical CVEs > 30 days | Count > 2 → CISO escalation; > 5 → Board Risk Committee |
| Third-Party | Low: critical vendors must not introduce unacceptable risk | All critical vendors rated Medium or below on scorecard | Vendor risk scorecard rating | Any critical vendor rated High → remediation plan within 14 days |
| ESG / Climate | Moderate: aligned with ISSB S2 and TCFD | Scope 1+2 emissions within 5% of annual pathway | Annual emissions variance (%) | Variance > 5% → Sustainability Committee; > 10% → Board |
Where Tolerance Fits in the Risk Assessment Process
Risk tolerance is consumed during the risk evaluation stage of ISO 31000 Clause 6.4.4. After risks have been identified and analyzed, evaluation compares scores against tolerance thresholds to produce a decision: accept, treat, escalate, or monitor.
| Risk Score Zone | Tolerance Status | Decision | Action Required |
| --- | --- | --- | --- |
| Within tolerance (green) | Risk below acceptable deviation | Accept with routine monitoring | Continue controls; monitor KRI on standard cadence |
| Approaching tolerance (amber) | Risk within 10–20% of threshold | Heightened monitoring | Increase KRI frequency; prepare contingent treatment plan; notify risk owner |
| At or beyond tolerance (red) | Risk has breached the limit | Mandatory treatment or escalation | Activate treatment plan immediately; escalate per escalation matrix |
| Beyond capacity | Risk threatens survival | Crisis response | Emergency board session; activate crisis management and BCM plans |
Build this traffic-light framework into your risk assessment policy and your risk register template.
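The following Python is an added example, not code from the article, that implements the traffic-light evaluation above against the sample tolerances from the examples-by-category table: each KRI reading is mapped to a green, amber, red or beyond-capacity zone with the matching decision, and every escalation trigger the reading crosses is returned. The thresholds and escalation actions are the article's sample figures; the width of the amber band (20%, and 25% for cash coverage so that amber begins at the 75-day CFO alert), the "higher is worse" direction flag and the strategic capacity figure are assumptions made for this example.

```python
"""Evaluate KRI readings against tolerance thresholds and map each one to the
green / amber / red / beyond-capacity zone of the risk evaluation table.

Thresholds and escalation triggers come from the article's examples table.
The amber band, the direction flag and the strategic capacity figure are
assumptions made for this example."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONE_DECISION = {
    "green": "Accept with routine monitoring",
    "amber": "Heightened monitoring",
    "red": "Mandatory treatment or escalation",
    "beyond_capacity": "Crisis response",
}
ZONE_RANK = {"green": 0, "amber": 1, "red": 2, "beyond_capacity": 3}


@dataclass(frozen=True)
class Tolerance:
    category: str
    kri: str
    limit: float                      # edge of the tolerable region (e.g. <= 4 h/quarter)
    higher_is_worse: bool = True      # False for KRIs such as days of cash coverage
    amber_band: float = 0.20          # "approaching" = within this fraction of the limit
    capacity: Optional[float] = None  # risk capacity; beyond it the decision is crisis response
    escalations: Tuple[Tuple[float, str], ...] = ()  # (trigger, action) pairs

    def breached(self, value: float, boundary: float) -> bool:
        """True when the reading lies on the wrong side of `boundary`."""
        return value > boundary if self.higher_is_worse else value < boundary


@dataclass(frozen=True)
class Evaluation:
    category: str
    kri: str
    value: float
    zone: str
    decision: str
    actions: Tuple[str, ...]


def classify_zone(tol: Tolerance, value: float) -> str:
    """Traffic-light zone for one KRI reading."""
    if tol.capacity is not None and tol.breached(value, tol.capacity):
        return "beyond_capacity"
    if tol.breached(value, tol.limit):
        return "red"
    # Amber begins amber_band inside the limit on the tolerable side. A zero
    # tolerance (limit 0) has no amber band: 0 findings is green, 1 is red.
    factor = 1 - tol.amber_band if tol.higher_is_worse else 1 + tol.amber_band
    return "amber" if tol.breached(value, tol.limit * factor) else "green"


def evaluate(tol: Tolerance, value: float) -> Evaluation:
    """Zone, decision and every escalation action whose trigger the reading crosses."""
    zone = classify_zone(tol, value)
    actions = tuple(action for trigger, action in tol.escalations
                    if tol.breached(value, trigger))
    return Evaluation(tol.category, tol.kri, value, zone, ZONE_DECISION[zone], actions)


def board_report(readings) -> List[Evaluation]:
    """Evaluate every (tolerance, reading) pair, most severe zone first: the
    'tolerance proximity' ordering a board risk report needs."""
    return sorted((evaluate(tol, v) for tol, v in readings),
                  key=lambda e: -ZONE_RANK[e.zone])


# Tolerances from the article's examples table (the capacity for the
# strategic KRI is a constructed placeholder, not a figure from the article).
CYBER = Tolerance("Cyber / IS", "Unpatched critical CVEs open > 30 days", limit=2,
                  escalations=((2, "CISO escalation"), (5, "Board Risk Committee")))
OPERATIONAL = Tolerance("Operational", "Unplanned downtime (hours/quarter)", limit=4.0)
LIQUIDITY = Tolerance("Financial / Liquidity", "Days of cash coverage", limit=60,
                      higher_is_worse=False, amber_band=0.25,
                      escalations=((75, "CFO alert"), (60, "Board notification")))
COMPLIANCE = Tolerance("Compliance", "High/critical compliance findings", limit=0,
                       escalations=((0, "CRO + General Counsel within 24 hours"),))
STRATEGIC = Tolerance("Strategic", "Variance to plan (% of EBITDA)", limit=5.0,
                      capacity=20.0,  # constructed placeholder
                      escalations=((3.0, "CRO review within 7 days"),))

# Constructed KRI readings for one reporting cycle.
SAMPLE_READINGS = [(CYBER, 3), (OPERATIONAL, 3.5), (LIQUIDITY, 70),
                   (COMPLIANCE, 0), (STRATEGIC, 25.0)]

if __name__ == "__main__":
    for e in board_report(SAMPLE_READINGS):
        line = f"{e.zone:16} {e.category:22} {e.kri} = {e.value} -> {e.decision}"
        print(line + (f"; escalate: {', '.join(e.actions)}" if e.actions else ""))
```

Zones and escalation triggers are evaluated separately on purpose: the article's cash-coverage example raises a CFO alert at 75 days while the tolerance itself sits at 60, so a trigger can fire inside the amber band without the risk being red.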
Eight Mistakes That Undermine Risk Tolerance Frameworks
| # | Mistake | Why This Hurts | Fix |
| --- | --- | --- | --- |
| 1 | Confusing appetite with tolerance | No measurable thresholds; managers have no guardrails | Define appetite at strategic level, then cascade into measurable tolerance per category |
| 2 | Setting tolerance without linking to KRIs | Thresholds exist on paper but nobody monitors them | Assign at least one KRI per threshold; configure automated alerts |
| 3 | Using qualitative labels only | Different managers interpret “moderate” differently | Add quantitative ranges (“Moderate = $1M–$5M single-event loss”) |
| 4 | Identical tolerance across all categories | Operational risk and compliance risk have different profiles | Calibrate per category; zero tolerance on compliance, moderate on strategic |
| 5 | No escalation rules | Breaches go unreported; risk grows silently | Publish escalation matrix with named roles, timeframes, and actions |
| 6 | Never reviewing tolerance levels | Business context shifts but statements stay frozen | Mandate annual review + trigger-based interim reviews |
| 7 | Disconnecting tolerance from board reporting | Board has no visibility into which risks approach limits | Add “tolerance proximity” column to board risk report |
| 8 | Ignoring risk capacity | Aggregate risk exposure could threaten solvency | Map aggregate exposure against capacity; stress-test under adverse scenarios |
90-Day Roadmap: Building a Risk Tolerance Framework
| Phase | Timeline | Actions | Owner | Deliverable |
| --- | --- | --- | --- | --- |
| Phase 1: Appetite & Taxonomy | Days 1–30 | Confirm/draft risk appetite statement; build risk taxonomy; benchmark peers; review regulatory expectations | CRO / Board Risk Committee | Approved appetite statement; risk taxonomy |
| Phase 2: Thresholds & KRIs | Days 31–60 | Set quantitative tolerance thresholds per category; map KRIs; design green/amber/red zones; define escalation matrix; build dashboard prototype | CRO / Risk Manager / IT | Tolerance table; KRI mapping; escalation matrix; dashboard prototype |
| Phase 3: Approve & Train | Days 61–75 | Present to Board Risk Committee; obtain approval; update risk assessment policy; train first-line risk owners | CRO / HR | Approved framework; updated policy; training records |
| Phase 4: Embed & Monitor | Days 76–90 | Go live with KRI dashboard; run first monitoring cycle; produce first tolerance-proximity board report; schedule quarterly reviews | Risk Manager / CRO | Live dashboard; first board report; review calendar |
The Future of Risk Tolerance
Dynamic, Data-Driven Thresholds. Static annual statements are giving way to thresholds that adjust in real time as KRI feeds update. This requires integrated GRC technology and updated risk assessment policies.
AI-Assisted Calibration. Machine learning models trained on historical loss data can recommend optimal tolerance thresholds. The risk professional validates and adjusts; the model does the quantitative lifting. See AI risk assessment frameworks.
ESG and Climate Tolerance. Regulators including the SEC, ISSB, and the EU CSRD now expect organizations to define tolerance around climate and ESG risks. Our ESG KRI framework shows how to build these thresholds.
Frequently Asked Questions
What is the difference between risk appetite and risk tolerance?
Risk appetite is the broad, strategic statement of how much total risk an organization is willing to pursue. Risk tolerance is the narrower, tactical boundary that defines acceptable variation around a specific risk. Appetite says “we accept moderate risk.” Tolerance says “no more than $2M single-event loss in this category.” See risk appetite vs. risk tolerance.
Can risk tolerance be quantified?
Yes, and best practice demands quantification. Express tolerance as financial ranges, operational metrics (max downtime hours, max defect rate), compliance counts (zero high findings), or time-based limits (patch within 30 days). Qualitative labels alone are insufficient.
How often should risk tolerance levels be reviewed?
At minimum annually, during the strategic planning cycle. Trigger additional reviews after major incidents, M&A activity, regulatory changes, or material shifts in the risk profile.
Who sets risk tolerance?
The Board Risk Committee approves tolerance levels. The CRO and risk function propose thresholds using data and scenarios. First-line risk owners provide operational context. This aligns with the Three Lines Model.
Does ISO 31000 require risk tolerance statements?
ISO 31000:2018 uses “risk criteria” (Clause 6.3.4) rather than “risk tolerance.” In practice, tolerance thresholds are embedded within your risk criteria. COSO ERM uses the term “risk tolerance” explicitly.
References
1. ISO 31000:2018 – Risk Management Guidelines
2. ISO Guide 73:2009 – Risk Management Vocabulary
3. ISO 31010:2019 – Risk Assessment Techniques
4. COSO ERM – Integrating with Strategy and Performance (2017)
5. IIA Three Lines Model (2020)
6. NIST Cybersecurity Framework 2.0
7. IRM – Institute of Risk Management
8. ISO 27001:2022 – Information Security Management
9. ISO 22301:2019 – Business Continuity Management
10. SEC Climate-Related Disclosures
11. IFRS / ISSB Sustainability Standards
12. EU CSRD

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
